While the popularity and stock price of Zoom are both booming, the San Jose video conferencing software company is struggling with ever-unfolding privacy flaws and fresh regulatory scrutiny.
Some people might get a sardonic little chuckle out of headlines like Zoom Call with Elementary Students Hacked with Pornography or Hackers Take Over GOP Video Conference with Pornography. Maybe not parents of elementary students or Republican video conference organizers, but still, these are run-of-the-mill information security flaw pranks that by and large do not destroy people’s lives or livelihoods in our current attempts to adapt to the inability to leave the house. Yet the overnight fame and fortune of the video conferencing platform Zoom has shown a sudden and white-hot spotlight on the platform’s security flaws, the easiest of which to exploit is the conference call crashing practice that TechCrunch’s Josh Constine has dubbed “zoombombing”. That’s when trolls simply barge into someone else’s conference to post offensive content for the mere thrill of ruining everyone’s day.
Automated Zoom conference meeting finder 'zWarDial' discovers ~100 meetings per hour that aren't protected by passwords. The tool also has prompted Zoom to investigate whether its password-by-default approach might be malfunctioning https://t.co/dXNq6KUYb3 pic.twitter.com/h0vB1Cp9Tb
— briankrebs (@briankrebs) April 2, 2020
Or could zoombombing be a precursor to something vastly more sinister? The New York Times reports today that Reddit and 4Chan boards are coordinating massive Zoom harassment campaigns, a phenomenon that has already caught the attention of lawmakers and regulators. According to Politico, Connecticut senator Richard Blumenthal and at least three state attorneys general are inquiring into Zoom’s security practices, though there is no evidence that any have opened formal investigations at this point.
“We are alarmed by the Zoom-bombing incidents and are seeking more information from the company about its privacy and security measures in coordination with other state attorneys general,” Connecticut attorney general William Tong said in a statement to Politico.
Not good --> Videos reviewed by The Washington Post included 1-on-1 therapy sessions, the disclosure of personally identifiable information and nudity — in one, an aesthetician teaches students how to give a Brazilian wax. https://t.co/syKoVc55VZ
— Andrew deGrandpre (@adegrandpre) April 3, 2020
But as is oft the case, regulators may be a step or two behind the evildoers. The Washington Post has a legit terrifying story today that at least 15,000 Zoom calls have been exposed on the open web, without the knowledge of the calls' hosts and creators, and the trolls are happily uploading the pirated videos to Youtube and Vimeo. Though despite the importance of that Post report, it is behind a paywall. Because you know, Washington Post owner Jeff Bezos is having a tough time getting by right now.
Zoom raiding accounts and group chats are absolutely rampant on Instagram and Discord. Students and followers are encouraged to DM codes and login links to private classes and meetings then record their successful raid for Insta Stories https://t.co/zTDICpYEsw pic.twitter.com/JOEgmJkeXE
— Taylor Lorenz (@TaylorLorenz) April 3, 2020
But the Verge breaks down how Zoom calls are being exposed on the web, and — hey-o! — it’s an exploit of Bezos’ own Amazon Web Services naming convention that makes recorded Zoom calls available via any old online search. Zoom has apparently made aware of the exploit, but as of press time, the exploit still works to find therapy sessions, AA meetings, and many other potentially compromising Zoom sessions.
Zoom CEO Eric Yuan did issue a pseudo-apology blog post. But in true tech founder fashion, he’s “apologizing for the confusion” rather than conceding his directs may have overlooked a pretty crucial detail, and his post is preambled with four paragraphs of self-congratulation before any errors or flaws are acknowledged.
“We did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home,” Yuan wrote Wednesday. “We now have a much broader set of users who are utilizing our product in a myriad of unexpected ways, presenting us with challenges we did not anticipate when the platform was conceived.”
I don’t wish to paint Zoom CEO Eric Yuan as a cartoonish tech villain (as I did above with Jeff Bezos). Zoom indeed had no idea the sea-change societal overhaul of COVID-19 was coming and their platform would be used the way it would. And the streams have been working pretty well! Zoom is in their very enviable position because their competitors Skype, Google Hangouts, YouTube, and Facebook Live all had their opportunities, and blew it with ease-of-use and functionality issues. Zoom was in the right place at the right time with the right features.
But with great success and valuation comes great responsibility, perhaps more than the company was prepared to handle. Zoom needs to adapt to some extremely scary platform exploitations in a way that, well, lives to their name.
Image: Zoom
